Keylogger Running Under Kaspersky 2009

As the last posts showed, it is well known that static virus detection is not something AV vendors do well enough. Now, this one is quite a story. While researching a number of trojans I was moving files into and out of the Virtual PC machine I use to test malware. My host computer has Kaspersky 2009 installed and running with maximum security settings (including protection against keyloggers and kernel object modifications).

I accidentally executed, without noticing, on my host PC one of the samples I was testing in the VM. I was using my computer as usual when I began noticing tiny delays while typing a lot of text, the kind of delays I experienced when I wrote my first keylogger. I was completely surprised to have this suspicion, since I felt "almost safe" with my Kaspersky 2009 updating every 4 hours.

Opening Process Explorer I began examining the running processes and noticed some weird DLL files loaded into all my processes:
kbdth2sys.dll
kbdvntcapi.dll
They were in system32, and these are the AV test results for these two files today (and also from two months ago):
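The check that Process Explorer was used for above can be scripted: a DLL that is loaded into essentially every process is either core OS code or something injected system-wide (a global hook is the usual way a user-mode keylogger gets into every process), so comparing per-process module lists against a clean baseline surfaces the two files quickly. The following is an added example, not code from the original post; the `tasklist /m /fo csv` sample, the baseline set, and the process names are constructed, and the assumed CSV shape is noted in the comments.

```python
"""Triage loaded modules for DLLs that appear in (almost) every process but are
not on a known-good baseline. Added example, not code from the original post;
the tasklist CSV and the baseline below are constructed inputs."""
import csv
import io
from collections import Counter
from typing import Dict, List, Set

# Constructed sample in the shape of `tasklist /m /fo csv` output (assumption:
# one row per process, modules comma-joined inside the quoted "Modules" field,
# "N/A" where the tool cannot read the process). DLL names follow the post.
TASKLIST_CSV = (
    '"Image Name","PID","Modules"\n'
    '"explorer.exe","1528","ntdll.dll,kernel32.dll,user32.dll,shell32.dll,kbdth2sys.dll,kbdvntcapi.dll"\n'
    '"firefox.exe","2240","ntdll.dll,kernel32.dll,user32.dll,mozglue.dll,kbdth2sys.dll,kbdvntcapi.dll"\n'
    '"notepad.exe","3012","ntdll.dll,kernel32.dll,user32.dll,kbdth2sys.dll,kbdvntcapi.dll"\n'
    '"procexp.exe","3300","ntdll.dll,kernel32.dll,user32.dll,kbdth2sys.dll,kbdvntcapi.dll"\n'
    '"avp.exe","1880","ntdll.dll,kernel32.dll,user32.dll,kbdth2sys.dll,kbdvntcapi.dll"\n'
    '"System Idle Process","0","N/A"\n'
)

# Constructed baseline: modules expected in every user-mode process on a clean
# machine of the same Windows build (assumption: captured from a reference box).
BASELINE: Set[str] = {"ntdll.dll", "kernel32.dll", "user32.dll", "gdi32.dll",
                      "advapi32.dll", "msvcrt.dll"}


def parse_tasklist_csv(text: str) -> Dict[str, Set[str]]:
    """Map "image:pid" -> set of lower-cased module basenames.

    Rows whose Modules field is "N/A" carry no module data and are skipped,
    so they do not dilute the prevalence figures."""
    snapshot: Dict[str, Set[str]] = {}
    for row in csv.DictReader(io.StringIO(text)):
        mods = row["Modules"].strip()
        if mods.upper() == "N/A":
            continue
        key = f'{row["Image Name"]}:{row["PID"]}'
        snapshot[key] = {m.strip().lower() for m in mods.split(",") if m.strip()}
    return snapshot


def module_prevalence(snapshot: Dict[str, Set[str]]) -> Dict[str, float]:
    """Fraction of inspected processes in which each module is loaded."""
    counts = Counter(m for mods in snapshot.values() for m in mods)
    n = len(snapshot)
    return {m: c / n for m, c in counts.items()}


def suspicious_modules(snapshot: Dict[str, Set[str]], baseline: Set[str],
                       min_fraction: float = 0.9) -> List[str]:
    """Modules loaded in at least min_fraction of processes and not in the baseline.

    Anything this ubiquitous that is not core OS code was injected everywhere,
    which is exactly the footprint of a hook-based keylogger."""
    prevalence = module_prevalence(snapshot)
    return sorted(m for m, frac in prevalence.items()
                  if frac >= min_fraction and m not in baseline)


if __name__ == "__main__":
    snap = parse_tasklist_csv(TASKLIST_CSV)
    prevalence = module_prevalence(snap)
    for name in suspicious_modules(snap, BASELINE):
        print(f"{name}: loaded in {prevalence[name]:.0%} of processes")
```

On a live host, feed it the real output of `tasklist /m /fo csv` (run elevated so module lists are not "N/A" for most processes) and a baseline taken from a clean install. The two keylogger DLLs stand out because legitimate per-process libraries such as `shell32.dll` or `mozglue.dll` show up in a few processes, while the injected ones show up in all of them.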

I was surprised by two things:
1) Kaspersky's Anti-Keylogger "live protection" let all my personal information be compromised
2) Symantec was the only AV really detecting this, and as a keylogger, which is very funny because their AV is a joke; I will write a few posts about that later

I can't believe this! I am now uploading the files again to VirusTotal to see the updated scan results for today, and I notice this:

The file was first received by VirusTotal on 2007.10.23, which is 1 year ago!
This proves two things:
1) The malicious code writers WERE INDEED using VirusTotal's "don't distribute samples to AV vendors" option, which was recently removed!
2) None of the anti-viruses detected this widespread keylogger, which has been used to steal people's information, FOR THE LAST YEAR!

I hereby thank the creator of the Matrix for letting me find it on my PC after just 2 days.
Here are today's results for kbdth2sys.dll:

http://www.virustotal.com/en/analisis/ae172aaf34a59733d149476e4b4bcb9c

So after 1 YEAR undetected, and 2 MONTHS after the AV vendors got my uploaded samples, we get this amazing 10 of 36 result, which still leaves it undetected by Kaspersky, DrWeb, McAfee, BitDefender, Microsoft, Panda, F-Secure, Fortinet and others…

As for kbdvntcapi.dll, after all this the detection hasn't really changed: 4 heuristic detections and 1 Symantec keylogger detection. Still a sad story (at least for most people :)

http://www.virustotal.com/he/analisis/d51626cb8f0b04219b0ad4c010036f0d
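Both the "first received" date and the "10 of 36" reading above come from a VirusTotal report, and reading such a report by hand is where the "X of Y" figure gets misread: engines that timed out or do not handle the file type are neither detections nor misses. The following is an added example, not code from the original post or from VirusTotal; the report is constructed in the shape of the v3 API's file object (assumption: `data.attributes.last_analysis_results` keyed by engine with a `category`, and `first_submission_date` as a Unix timestamp), the engine names are those the post lists, and the result labels are made up.

```python
"""Summarize a VirusTotal file report: which engines detect the sample, which
miss it, which did not actually scan it, and how long VirusTotal has known it.
Added example, not from the post; the report JSON below is constructed."""
import json
from datetime import datetime, timezone
from typing import Dict, List

# Constructed report in the shape of GET /api/v3/files/{hash} (assumption),
# trimmed to the fields used here. Engine names follow the post; result labels
# and the heuristic/unsupported engines ("Engine-H1", "Engine-H2", "Engine-X")
# are invented for illustration.
SAMPLE_REPORT = json.dumps({
    "data": {
        "type": "file",
        "attributes": {
            "first_submission_date": 1193097600,   # 2007-10-23 00:00:00 UTC
            "last_analysis_results": {
                "Symantec":    {"category": "malicious",        "result": "Keylogger (constructed label)"},
                "Engine-H1":   {"category": "suspicious",       "result": "Heuristic (constructed label)"},
                "Engine-H2":   {"category": "malicious",        "result": "Generic (constructed label)"},
                "Kaspersky":   {"category": "undetected",       "result": None},
                "DrWeb":       {"category": "undetected",       "result": None},
                "McAfee":      {"category": "undetected",       "result": None},
                "BitDefender": {"category": "undetected",       "result": None},
                "Microsoft":   {"category": "undetected",       "result": None},
                "Engine-X":    {"category": "type-unsupported", "result": None},
            },
        },
    }
})

# Categories that mean the engine actually scanned the file and gave a verdict.
# "timeout", "failure" and "type-unsupported" are not verdicts and must not be
# counted as misses.
DETECTED = {"malicious", "suspicious"}
CLEAN = {"undetected", "harmless"}


def detection_summary(report_json: str) -> Dict[str, object]:
    """Split engines into detected / missed / skipped and note the first-seen date."""
    attrs = json.loads(report_json)["data"]["attributes"]
    results = attrs["last_analysis_results"]
    detected = sorted(e for e, r in results.items() if r["category"] in DETECTED)
    missed = sorted(e for e, r in results.items() if r["category"] in CLEAN)
    skipped = sorted(e for e, r in results.items()
                     if r["category"] not in DETECTED | CLEAN)
    scanned = len(detected) + len(missed)
    return {
        "detected": detected,
        "missed": missed,
        "skipped": skipped,
        "ratio": f"{len(detected)}/{scanned}",
        "first_seen": datetime.fromtimestamp(attrs["first_submission_date"], tz=timezone.utc),
    }


def days_known(report_json: str, now: datetime) -> int:
    """Whole days between VirusTotal's first sighting of the file and `now` (tz-aware)."""
    return (now - detection_summary(report_json)["first_seen"]).days


if __name__ == "__main__":
    s = detection_summary(SAMPLE_REPORT)
    print(f"detection ratio {s['ratio']}, missed by: {', '.join(s['missed'])}")
    print(f"not scanned: {', '.join(s['skipped']) or 'none'}")
    print(f"first seen {s['first_seen']:%Y-%m-%d}, "
          f"{days_known(SAMPLE_REPORT, datetime.now(timezone.utc))} days ago")
```

Two caveats when turning such a summary into a claim about a product: VirusTotal runs each vendor's command-line scanner, not the desktop product with its real-time and behavioural layers, so a miss on VirusTotal is not the same as a miss on an installed copy; and `first_submission_date` tells you when VirusTotal first saw the file, not how long it has been circulating.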

Well, I uninstalled my Kaspersky 2009 :)

  • http://www.virusbtn.com/ Martijn

    Don't be fooled by the "2009" in many product names: October 2007 is less than one year ago…

  • http://anti-virus-rants.blogspot.com kurt wismer

    the author is being lazy and ought to read some of the various good posts out there about how virustotal does *not* represent the true detection capabilities of the products it includes and can therefore not reasonably be used to support the ‘av sucks/is failing/has failed/is dead’ argument…

    the fact that he coincidentally got infected without any alarms from the av product in question only demonstrates the well known and completely reasonable fact that all preventative measures fail some times (in other words “nothing’s perfect”)… it also illustrates that he likely wasn’t using whitelisting on his host system but probably should have been…

  • VitaliK

    Kaspersky 2009 is continuous errors and conflicts, not pretty and a very inconvenient program, and it doesn't see viruses, as has been the case for a long time!!! Very low quality! It slows everything down! And all because, instead of working, they throw mud at other antiviruses, and at their antivirus tests))

  • raido

    So did the keylogger have the chance to send out data to its creators? Or how was this one working?

  • http://rafelivgi.blogspot.com/ Rafel Ivgi

    Yes it did; let's hope their database was down at that time :)

  • http://networksecurity.typepad.com/ Juha-Matti

    Thanks for correcting the entry (mentioning ‘which is 1 year ago’ instead of 2 years) :-)

  • internetwork solutions

    That's the reason I never trust Kaspersky.
    ccie security training in thailand